Posted by CmdrTaco on Tuesday May 03, 2011 @02:33PM
from the i-saw-an-unclelode-once dept.

itwbennett writes "The raid that killed Osama bin Laden in Pakistan Sunday also turned up an 'intelligence harvest' of computer-based data that was described by an anonymous government source as 'the motherlode of intelligence.' The data is being sifted through at a secret site in Afghanistan. An unnamed official was quoted by Politico as saying: 'Hundreds of people are going through it now. It's going to be great even if only 10 percent of it is actionable. They cleaned it out. Can you imagine what's on Osama bin Laden's hard drive?'"

People seem to think that suicide bombers are either idiots, complete nutjobs, or hate-filled extremists. I think the truth is more complicated than that.

I've heard stories about how at least some of these guys are recruited. It often involves deceit, manipulation and heavy coercion. They end up getting mixed up with the wrong people (and it can start seemingly innocently and naively). By the end, they end up being threatened or blackmailed, and put in a position where they feel like if they don't do it, they may bring danger or shame to family and loved ones.

I know it's no consolation to their victims, and by no means does it justify their actions, but some of these guys are victims too.

This makes encryption a very useful tool, as the password will literally die with you.

On the other hand, if there's anyone who can crack the encryption without the password, it's probably the US government. Perhaps the common encryption methods are mathematically strong enough to withstand money-is-no-object brute-force, and perhaps the implementations don't have any unpublicized weaknesses (or secret back doors)... but I wouldn't want to bet my evil terrorism network on that.

The NSA has told the world to stop using product-of-prime-numbers based asymmetric encryption. However, TrueCrypt uses symmetric encryption, so that's secure against a brute-force attack... well, except the sort of brute force attack where a Navy SEAL team kicks down your door and shoots you in the face while your computer is running with the TrueCrypt volume mounted - then it's easy. Hooah!

My guess is there is rhyme and reason to why they're making this announcement so public. Say what you will about the bureaucrats who run these bureaus but they understand the relationships you described above and these are not idle statements.

Most individuals, upon completing a university education should have been exposed to Sun Tzu's "Art of War" and the wisdom on prevailing in conflicts explored in that text has stood 5,000 years of scrutiny. So what I'm saying is, don't underestimate this action. Our politicians are stupid because they pander to groups, thereby inducing the lowest common denominator. They often make the bureaucrats look stupid with their double-talk and ineptitudes, but perception is rarely reality.

Ideologically you may disagree with these people, but make no mistake about it, this was planned action and not a mere oversight.

He further assumes that Truecrypt does not provide a backdoor to NSA for this in the first place.

Truecrypt is open source. No, I haven't looked at it myself, but it only takes one person to rat such a thing out. It's not probable that nobody has seen it yet, save the ones in on the conspiracy. Possible yes, but highly unlikely.

Truecrypt is open source. No, I haven't looked at it myself, but it only takes one person to rat such a thing out.

Encryption is hard. Really hard to do right.

The NSA can hire the best. It's entirely possible that they (or some other comparable agency) hired somebody to inject a weakness into its algorithms that would only be noticed in a code audit by somebody extremely skilled in the art. I'm not saying there's a backdoor such as "if you == NSA, decrypt everything!" but there may be something that greatly restricts the key combination that must be tested to crack it or something.

You also assume that they didn't use a weak password. You would be shocked how many really smart people don't know the difference between a weak and a strong password. Also I would bet that the NSA has at least the computing power of a Cray Jaguar or two or three to throw at this. With that much power anything but a very long and totally random string of characters would probably be too weak.

The combined Rpeak of the top 10 supercomputers is about 19 teraFLOPS, let's assume that equals to about 40 trillion integer operations per second.

Let's use 128-bit AES, so there's 2^128 possible keys.

Just to increment through all those keys, never mind checking them, would require those systems for 269,000,000,000,000,000 years. While you'd probably find the right key in about half that time, it will still be long after the last stars go cold and dark.

While I think the idea of the NSA putting a backdoor into an open source project is pure tin-foil hat territory

Let me get this straight: You think the idea that one of the nation's most secretive intelligence agencies would be doing something in secret that allows them to gain intelligence is "tin-foil hat territory"? How do you know which contributors to TrueCrypt are working for the NSA? How could you ever know?

It just strikes me as strange that people who would be paranoid enough to encrypt their [probably completely banal and uninteresting] data, when told that their encryption might not actually prevent the world's top spies from accessing said data, would brush off the idea as simple paranoia. Make up your mind, folks: Are you paranoid or aren't you?

I agree. It would be wise to assume that even if the NSA doesn't have the equivalent of a back door, they could well exploit weakness in the software, especially if the user gets just a tiny bit sloppy and lets his paranoia slip just a bit (e.g. leaving plaintext in the hibernate file).

What is interesting is to take this line of reasoning back to the apparent claim that our analysts are already going to town on the stuff they picked up in the Waziristan Mansion. Either (a) those claims are bogus or (b) Os

Osama's survival for so long so champion at the art of discriminating paranoia. So why didn't he use encryption? If we assume he was acting rationally, it must be because he considered the risk of his computer falling into the hands of the enemy negligible compared to the other risks he was running. Either he got cocky, or he didn't give a damn what happened after he was out of the picture.

It's possible. One rule of thumb that's been practiced by revolutionary cells for years is: Keep quiet for 24 hours. They will torture you. Endure the torture. Do everything within your power to tell them nothing... for 24 hours. Then talk. After 24 hours, tell them anything they want to hear. Tell them everything. It won't matter, because you're just one guy, and after 24 hours, nothing in your head will be of any real use to them anymore.

I guess I mostly object to the use of "secret" as a synonym for "covert". But people seem to have the impression that it's trivially easy for the NSA to get someone to volunteer on TrueCrypt, have them modify the cryptography, and subtly insert a weakness that goes unnoticed by everyone else. You can't just show up and make a few commits -- what sort of managers of a crypto product would allow that?

But yes, you could *covertly* make changes to TrueCrypt that result in a security flaw, but you can't really

For example, if someone modified the code to completely break the entropy generation in a widely used cryptography library in a major Linux distribution, with the effect that you only had to search 32768 possibilities in order to break "4096 bit" cryptography, the benefit of open source is that it would be spotted immediately.
No, wait... [formortals.com]
One interpretation of that disaster is that people who were completely unqualified to work on crypto code made a stupid mistake. Another is that people who were most certa
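The keyspace collapse this comment refers to, as an added illustration that is not part of the original thread: a toy key generator whose only entropy is a process ID, and the blocklist check a defender can run to flag keys produced by it. `toy_keygen`, `build_blocklist` and `is_weak` are hypothetical names, and the generator is a constructed stand-in, not the affected library's code.

```python
import hashlib
import math
import os
import random

PID_SPACE = 32768   # the "32768 possibilities" from the comment
KEY_BITS = 4096     # nominal key size; says nothing about real entropy


def toy_keygen(pid: int, bits: int = KEY_BITS) -> bytes:
    """Constructed model: key material derived from a PRNG seeded only by the PID."""
    rng = random.Random(pid)  # the seed is the ONLY source of variation
    return rng.getrandbits(bits).to_bytes(bits // 8, "big")


def fingerprint(key: bytes) -> str:
    """Stable identifier for a key, used for blocklist lookups."""
    return hashlib.sha256(key).hexdigest()


def build_blocklist(bits: int = KEY_BITS) -> set:
    """Enumerate every key the weak generator can ever emit."""
    return {fingerprint(toy_keygen(pid, bits)) for pid in range(PID_SPACE)}


def is_weak(key: bytes, blocklist: set) -> bool:
    """Defender's check: was this key produced by the weak generator?"""
    return fingerprint(key) in blocklist


def effective_bits() -> float:
    """Real search space in bits, regardless of the nominal key length."""
    return math.log2(PID_SPACE)


if __name__ == "__main__":
    blocklist = build_blocklist()
    print("distinct keys possible:", len(blocklist))
    print("effective entropy (bits):", effective_bits())
    # A key from the weak generator is always on the list ...
    print("weak key flagged:", is_weak(toy_keygen(4242), blocklist))
    # ... while one drawn from the OS CSPRNG is not.
    print("urandom key flagged:", is_weak(os.urandom(KEY_BITS // 8), blocklist))
```
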

This presumes that we're not already watching those suspected safehouses and banking accounts, and won't also make note of a sudden flurry of activity hours after it was announced that Osama Bin Laden was dead. If they suspect that we will get access to it sooner or later, then they have to make their changes quickly. If you suddenly see 30 men with RPGs and AK-47's rushing out of a suspected safehouse carrying dozens of crates labeled "Caution: High Explosive!", well... perhaps those guys are worth watch

I would imagine a big old truecrypt partition, though perhaps he didn't encrypt things for some reason?

The guy was 54 and the latter part of those years was spent in some pretty remote areas. I doubt he had much expertise in computer security. They probably relied much more on physical security, i.e. being able to blow all their stuff up if the shit hit the fan (or their stuff going up in the same bombing raid as them.)

I would imagine a big old truecrypt partition, though perhaps he didn't encrypt things for some reason?

The guy was 54 and the latter part of those years was spent in some pretty remote areas. I doubt he had much expertise in computer security. They probably relied much more on physical security, i.e. being able to blow all their stuff up if the shit hit the fan (or their stuff going up in the same bombing raid as them.)

Not to mention, he escaped from the Afghan caves and has been successfully hiding from authorities for the better part of 6 years. That might have helped make him more careless in security matters (such as "They couldn't catch me! Ha!" or "They missed me once, and haven't been able to find the backside of their own hands since my Pakistani colleagues have been feeding them shit for intelligence").

As I recall, Wikileaks leaked very little counterterrorism intel. Most of it was governmental and corporate shenanigans. So, governments do underhanded deals that they have absolutely no business doing, and departments clam up on info sharing because governments want to keep those shady deals (not counterterrorism intel) a secret from the general public, and you're blaming Wikileaks for the next terrorist strike? Nice...

Governments don't actually face a choice between "share info and have leaks" or "don't share info and don't". That's a false dichotomy.

Leaks tend to happen when things are being covered up that should not be covered up. Leakers take huge risks, as the sad case of Manning's treatment shows. They don't tend to do it for shits and giggles, or because of some anarchic belief that all secrets are bad. In the case of the Manning dumps he did it because he thought there were a lot of scandals and other things being wrongly suppressed.... and he was right!

So we can see there's a third option, which is, don't cover up large numbers of scandals. Instead when you screw up, admit it, and ensure everyone can see the measures to take to prevent repeat incidents. There are plenty of organizations that do this. The US Govt is not one of them.

... he wasn't actively commanding his organization since going into hiding. However I would hope that his data contains names of most of the AQ leadership, so perhaps some new names will come to light. It would be nice if the location of his #2 was discovered and exploited.

Encryption only really works if you do it right, every time. Screw up only once, and you could leave enough crumbs to compromise it all.

We're talking about the NSA getting this drive. So by doing it right you mean everything's encrypted and in the event of a raid the drive is melted with thermite, mixed with neodymium magnet dust, placed in a 5T magnetic field, stepped on by five elephants, mixed into bird food and fed to a flock of >100 migratory birds.

If he's smart he would've not only encrypted everything but most of the information would be intentionally misleading or low-value, making whoever got it not only have to work to decrypt it but to have sort out what's real and useful and what's not.

This is just the kind of ultra important stuff where someone is _actually_ going to use obscene amounts of processing power and analysis if required to get access to the data.

Encryption is a deterrent.. 99% of the time the effort required to break said encryption is out of imagination for the value of the data... in this rare case, all the resources of the US military and possibly even other governments are available for use. They'd analyse every IC in the machine and put entire server farms to work on it to get the key.. unless he was very good with his computing practices... they'd get their data.

I'm guessing there are lots and lots of cells of Al Qaeda whose presence can be identified by the giant brown stains spreading across the floor.

Certainly, OBL wasn't stupid - he'll have kept himself as cut-out as possible, against just this eventuality. Nevertheless, most intelligence is valuable when triangulated with other data, and oh man did we just gain a doozy of a viewpoint.

The immediate targets this will provide may only be good for about 6 months before the value evaporates. The subsequent ripple

The guy has a 25 *million* dollar bounty on his head, he knows the world's biggest military is hunting him 24/7, and he has large amounts of data near his person?
Whenever you hear or read of someone who is describing bin Laden as the evil mastermind, you can take out the mind part....
Or, as Smiley says, Moscow rules - you write on edible paper, one sheet of paper at a time on a glass surface, and always have a means of disposing of the info should you be captured.

To the most exalted Emir of the al-Umma: Hope this report finds Your Caliphate in excellent health and kind disposition. Our Third Sher-e-Umma division has breached through the shores of Dover, England and we hope to annex it and bring the UK from dar-ul-haarb to dar-ul-islam in a few days, inshah allah. On the other side of the Atlantic the Zulficar-e-Islami army has conquered Alabama, Texas and Kentucky. We will soon be besieging the capital of the Great Satan next month. inshah allah.

As with other patronymics (e.g. the Scottish "Mac"), it's often used as a general family name, inherited for multiple generations. Osama bin Laden's father is Muhammad bin Laden. The original "Laden" is unknown, but goes back at least a century.

So it's perfectly reasonable to call him "bin Laden". It's his family name, at least a few generations back. Confusion arises only as with every other family name, in that there are a lot of bin Ladens out there, and you'd have to use his full name to be clear. But using just his first name would be equivalent to referring to the Chancellor of Germany as "Angela" or the Prime Minister of the UK as "Gordon": it's their personal name, and rarely used alone in public discourse.

You could use it that way as a deliberate insult of over familiarity. The New York Times took the unusual step of referring to him just as "bin Laden" rather than "Mr. bin Laden", which they reserve generally for the worst of the worst.

That's kind of a trite and glib statement, and one we've heard a lot. When I was in the military I heard people say quite often "If Osama thinks strapping a bomb to your chest to kill infidels is such a good idea, why doesn't he do it?" The answer to that is simply, the same reason George W. Bush didn't grab an M-16 and head to Fallujah.

Osama Bin Laden's organization needed a LOT of money to keep going. Money to pay for food and housing for all of the thousands of followers who are not actually working or doing anything useful. Money for travel, equipment, supplies, bribes, etc. Those hard drives will probably show exactly WHO was supporting these terrorists. Which banks were laundering money donations to make it available to Osama Bin Laden? Maybe JPMorgan Chase was Osama's banker like they were Bernie Madoff's banker. Who was issuing them credit cards? Which foreign governments were enabling them to travel by issuing passports, visas, and other documents? The Osama Bin Laden people were very sophisticated in how they approached their terrorist activities...that was OBL's 'innovation'...and now it may all come unraveled. There are plenty of young men with rifles running around the Afghanistan hills who hate the West...or what little they know of it...but that does not make them into terrorists capable of carrying out a sophisticated act of terror in another country. That OBL data may help ID a few new faces but mostly it will be the leads to the money trail that will bring the global terror activities to an end.

Not really. The 9/11 attack only cost about $200,000 to execute. Al-Qaeda was never that big. In recent years it's been more of a loose coordinating group for various militant factions. In its best years, Al-Qaeda raised maybe $30 million [unt.edu]. That decreased as the US found ways to cut off its funding sources.